Deployment Architecture

issue with Splunk Indexing and VMSTAT

ianthompson
New Member

Hi:
We are new to splunk and have an issue. When we look at the VMSTAT result we seem to have to different issues
in one we see the data on line 1 and the headers for the data in line 2 and the other issue is we see headers only.

We are running sun solaris 10 with the same patch number.
I have looked in the log files in the forwarder and I don't see anything to suggest an issue.
Has anyone come across this problem before and if so can you give some guidance?

Tags (2)
0 Karma

ianthompson
New Member

On the main indexer (IE not the universal forwarder as that only fires data over and does nto process it)
In the directory
[wherever you have put the main Splunk indexer]\Splunk\etc\system\local
NB this dir is where you put your own additions to the config files for splunk so you don’t mess with the original ones.

In the file
props.conf (You may need to create one of these if one does not exist)

Add
[source::vmstat]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = memTotalMB

This (I believe) tells splunk to allow line merge (SHOULD_LINEMERGE). Then BREAK_ONLY_BEFORE tells splunk what to look for to break on. So in the case of vmstat this is the first element on the first line of the output so splunk will break the event on that. So it will see one of these and break all date before the string. Then continue merging lines intil it sees another instance of the string and does a break so all info between the 2 becomes 1 event.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.